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Opportunity/risk description (opportunities 
shaded in blue) 


Capacity and Capability: (Cause) Risk that 
increasing demand, public and stakeholder 
expectations, and/or additional unplanned 
work and/or reduced availability of staff 
results in (Threat) key resources being 
overstretched and having insufficient capacity 
to deliver all business plan requirements, 
(Impact) resulting in business operational 
issues and pinch points, possible failure to 
deliver regulatory priority activities and 
impacting upon the ICO’s ability to deliver all 
of its intended objectives and outcomes. 


Compliance culture: (Cause) Risk that as 
demand and capacity increase and/or changes, 
the ICO’s infrastructure and accountability 
culture is unable to (Threat) keep up with the 
pace of change to comply with legal and other 
obligations expected of a modern regulator 
(Impact) impacting upon its ability to maintain 
and increase public trust and be an effective 
and knowledgeable regulator. 


Financial Resilience: (Cause) Risk that 
sensitivities in the income growth forecast and 
new territories of expenditure create 
inaccurate financial forecasting and planning 
assumptions (Threat) leading to insufficient 
funding and financial stress (Impact) impeding 
the ICO’s ability to meet its statutory 
requirements, and full delivery of all of its 
intended IRSP goals and outcomes. 
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Date raised Opportunity/risk description (opportunities 
shaded in blue) 


5 06/04/20 R84 |Major Incident: (Cause) Risk that an internal or 
external major incident occurs (e.g. extreme 
weather, fire incident, chemical incident, 
pandemic (e.g. Covid-19), or deliberate 
incidents such as terrorist acts) which renders 
the ICO unable to utilise part or all of its 
resources and infrastructure (such as staff, 
buildings, IT systems etc) such that (Threat) the 
ICO is unable to deliver some, or in extreme 
cases all of its regulation services, (Impact) 
increasing public information rights risk for a 
period of time and resulting in a reduced 
achievement of the IRSP Goals over the longer 
period. 

06/04/20 R85 |Managing ICO Reputation: (C) Risk that 
decisions are taken without giving due 
consideration to the strategic reputational 
impact on the ICO (T) such that action is not 
taken at the right time to proactively and 
effectively manage the reputation of the ICO 
(I) impacting upon the ICO’s ability to increase 
public trust and confidence, provide excellent 
public service and to demonstrate that it is an 
effective and knowledgeable regulator. 
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22/09/18 R26 __| Improving Productivity: (Cause) Risk that 
growth in the ICO’s investment in 
infrastructure, people and process resources 
(Threat) is not effectively utilised to reduce 
contradictory and duplication of efforts, 
minimise delivery gaps, exploit new business 
models and maximise best use of ICO 
resources such that (Impact) whilst the ICO 
grows it does not improve efficiency and 
productivity and is no better placed to achieve 
the ICO’s IRSP goals and corporate outcomes. 


Opportunity/risk description (opportunities 
shaded in blue) 


27/09/18 R10  |Statutory Codes: (Cause) Risk that significantly 
complex and contentious subject matter (e.g. 
economic impact), alongside competing 
stakeholder audience expectations slows the 
drafting and implementation of Statutory 
Codes of Practice such that (Threat) the ICO is 
unable to deliver the Codes within required 
timescales and to the desired quality through 
the eyes of external stakeholders (Impact) 
impacting negatively on the ICO’s reputation 
and relevance as a regulator to deliver across 
all stakeholders, decreasing its public trust, 
influence and effectiveness. 


10 13/04/18 R11 [ICO fails to deal with issues arising from 
Operation Cederberg in a timely and effective 
way; in particular in relation to the public 
challenge to ICO regulatory decisions. 
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Date raised Opportunity/risk description (opportunities Risk Appetite 
shaded in blue) area 


12 27/11/18 R61 _—_‘|Litigation Resource: (Cause) Risk that multiple | Infrastructure 
or a single significant legal challenge or trend and resources 
emerges (Threat) diverting significant financial 
and non-financial resources into possibly 
lengthy legal disputes (Impact) impacting upon 
the ICO’s ability to legally defend itself which 
could have a domino effect on its decision 
making, its financial resilience, its reputation as 
an effective regulator and diluting its 
operational ability to achieve all of its IRSP 
goals. 

13 07/07/20 R88 Future role of the ICO: (Cause) Government Organisational 
led reviews of the role of the future data change and 
protection regulatory framework, and of the development 
ICO’s role, governance and remit (Threat) leads 
to organisational and stakeholder uncertainty 
(Impact) impeding the ability of the ICO to 
regulate with maximum efficiency and 
effectiveness, plan for the future and have 
clarity of its strategic objectives. 

14 01/04/17 R29 __|Technology Relevant Regulator: (Cause) Staff 
Insufficient resources, knowledge, training and recruitment, 
external engagement prevent the ICO from retention and 
(Threat) engaging with and effectively development 
regulating emerging technology-based threats 
to information rights (Impact) such that is 
impeded in fully achieving all of its IRSP goals, 
in particular goal #6 and results in poor 
reputational perception of the ICO asa 
relevant regulator for cyber related privacy 
issues. 

15 08/03/19 R72  |SMOs: (Cause) Risk that the ICO does not Regulatory 
sufficiently recognise and act on the needs of guidance and 
small organisations such that the ICO (Threat) strategy 
does not provide SMOs with value for money 
relevant services resulting in (impact) low 
levels or awareness, poor trust and 
information rights practices from SMOs 
impacting upon the ICO’s delivery of the IRSP 
goals around increasing public trust and 
confidence, improving standards of practice 
and being an effective regulator. 
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Date raised Opportunity/risk description (opportunities Risk Appetite 
shaded in blue) area 


16 02/09/19 R81 {Management Board and Executive Team Staff 
capacity and resilience may not be sufficient to} recruitment, 
retain clarity of leadership and direction during] retention and 
a critical period of change to the regulatory development 
landscape resulting in delay to the 
achievement of the IRSP goals and operational, 
regulatory and organisational priorities 

17 06/04/20 R83 Organisational 

change and 
development 


51 01/04/18 R21 [Cyber Security: (Cause) Risk that although the Security 
ICO is continuously vigilant with its cyber 
security controls that as the ICO’s profile 
increases and it innovates with new 
technology systems, (Threat) it becomes 
increasingly at risk of a security breach, either 
malicious or inadvertent from within the 
organisation or from external attacks by cyber- 
criminals. (Impact) This could result in many 
negative impacts, such as distress to 
individuals, legal, financial and serious 
reputational damage to the ICO, possible 
penetration and crippling of the ICO’s IT 
systems preventing it from delivering its 
regulatory functions and IRSP goals 
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Date raised Opportunity/risk description (opportunities Risk Appetite |Risk appetite] IRSP Goals Current Current | Current 
shaded in blue) area Probability | Impact | Overall 
priority 


52 15/06/20 R87 {International position: (Cause) The uncertain Reputational Cautious 2 
global context in which ICO operates (in 
particular the UK’s future global relationships 
with and outside the EU and implications of 
the Covid19 pandemic) lead to (threat) the ICO 
failing to develop and maintain effective 
international relationships, thereby reducing 
opportunities to develop global collaborative 
DP approaches on policy, tech and 
interoperability and (Impact) putting at risk our 
ability to protect UK’s public interest through 
bilateral and multilateral delivery. 

63 06/04/20 R86 |Political and Economic Environment: (Cause) Regulatory 2 
Risk that the ICO doesn't have the plans or the 
ability to respond to changes in the economic 
climate, government policy or to government 
attitudes and reviews, meaning that the ICO 
doesn't (Threat) adapt and flex quickly enough 
or in the right way to meet changing 
stakeholder views and needs (Impact) 
preventing the achievement of the IRSP goal to 
be an effective and efficient regulator. 
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